Fluid Attacks' static code scans detect the third-party dependencies used in your software and verify whether your software actually calls the dependencies' vulnerable functions. Confirming that a detected dependency vulnerability is actually reachable by threat actors is possible thanks to Fluid Attacks' Reachability feature.
Know which dependencies have identified issues
Fluid Attacks allows you to understand your software supply chain, identifying the dependencies in your software and indicating for which of them advisories have been issued.
If using the platform, this information is shown in the Supply chain section, along with details such as the dependency's location in your projects.
This section shows the dependencies with associated advisories as "issues" and not necessarily "vulnerabilities." That is, you are only being informed that your software might be vulnerable. To find out whether the usage of those dependencies actually constitutes a vulnerability in your software, it is necessary to analyze your code and verify that it does call the dependencies' vulnerable functions. That is what Reachability accomplishes.
Know reachable dependency vulnerabilities
Leveraging the Reachability feature, Fluid Attacks' scans track down your use of the third-party dependencies' vulnerable functions. If it is confirmed that your software is at risk because it uses those functions, then you get the corresponding vulnerability reports.
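The distinction the two sections above draw (an "issue" is a dependency with an advisory; a "vulnerability" is a confirmed call into the advisory's affected function) can be illustrated with a small static reachability check. The following is an added example written for this page, not Fluid Attacks' scanner or any of its code; it assumes a hypothetical dependency `vulnlib` whose function `unsafe_parse` is the one an advisory describes (both names are placeholders), parses Python source with the standard `ast` module, resolves the import aliases, and reports every call site that reaches the named function. The two input programs are constructed inline: the first only imports the dependency (an issue, not a reachable vulnerability), the second calls the affected function through two different aliases.

```python
import ast
from dataclasses import dataclass


@dataclass
class CallSite:
    line: int   # line number in the analyzed source
    call: str   # the expression used at the call site


def find_reachable_calls(source: str, module: str, func: str) -> list[CallSite]:
    """Return the call sites in `source` that invoke `module.func`.

    Resolves `import module`, `import module as m`,
    `from module import func` and `from module import func as f`.
    Dynamic imports, getattr() lookups and star-imports are not
    resolved, so a call made through them is reported as not
    reachable: a known limitation of purely static reachability.
    """
    tree = ast.parse(source)
    module_aliases: set[str] = set()  # names bound to the module itself
    func_aliases: set[str] = set()    # names bound directly to the function

    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == module:
                    module_aliases.add(alias.asname or alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module == module:
            for alias in node.names:
                if alias.name == func:
                    func_aliases.add(alias.asname or alias.name)

    sites: list[CallSite] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        target = node.func
        # module.func(...) or alias.func(...)
        if (isinstance(target, ast.Attribute)
                and isinstance(target.value, ast.Name)
                and target.value.id in module_aliases
                and target.attr == func):
            sites.append(CallSite(node.lineno, f"{target.value.id}.{target.attr}"))
        # func(...) after `from module import func [as alias]`
        elif isinstance(target, ast.Name) and target.id in func_aliases:
            sites.append(CallSite(node.lineno, target.id))
    return sorted(sites, key=lambda s: s.line)


def classify(source: str, module: str, func: str) -> str:
    """'reachable' if the affected function is called, else 'issue-only'."""
    return "reachable" if find_reachable_calls(source, module, func) else "issue-only"


# Constructed sample: the dependency is imported but the affected
# function is never called, so this is only an "issue".
SAMPLE_ISSUE_ONLY = """
import vulnlib

def handler(data):
    return vulnlib.safe_parse(data)
"""

# Constructed sample: the affected function is called through a
# module alias and through a from-import alias, so it is reachable.
SAMPLE_REACHABLE = """
import vulnlib as vl
from vulnlib import unsafe_parse as parse

def handler(data):
    return vl.unsafe_parse(data)

def other(data):
    return parse(data)
"""

if __name__ == "__main__":
    # Placeholder names; a real run would take them from the advisory.
    for name, src in [("issue-only sample", SAMPLE_ISSUE_ONLY),
                      ("reachable sample", SAMPLE_REACHABLE)]:
        print(name, "->", classify(src, "vulnlib", "unsafe_parse"))
        for site in find_reachable_calls(src, "vulnlib", "unsafe_parse"):
            print(f"  line {site.line}: {site.call}(...)")
```

The point of the example is the asymmetry between the two samples: both would appear in a supply-chain inventory as using `vulnlib`, but only the second gives a reviewer a concrete line to fix. The caveat in the docstring matters in practice: a static check like this answers "is the call present in the source?", not "can untrusted input reach it at runtime?", so an "issue-only" result still deserves a look at how the dependency is loaded.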
To identify a reachable dependency vulnerability on the platform:
- select a type of vulnerability,
- click on a location, and
- identify whether a CVE ID is mentioned within the vulnerability description in the Details tab.
Moreover, in the Evidence section of the type of vulnerability, you can see a screenshot showing your vulnerable code in context along with the mention of the CVE ID reported for the dependency.
Supported CVEs
The following table shows the Common Vulnerabilities and Exposures (CVE) entries for which reachability analysis is currently possible, indicating the corresponding programming language.
| Language   | CVE IDs | Number of CVEs |
|------------|---------|----------------|
| C#         |         | 2              |
| Java       |         | 2              |
| JavaScript |         | 10             |
| Python     |         | 1              |
| TypeScript |         | 10             |
| Total CVEs |         | 15             |
Note: The total CVEs count is the number of unique CVEs, so it is lower than the sum of the per-language rows because some CVEs apply to more than one language.